What is GDPR?

GDPR came into effect in the UK on 25th May 2018. It stands for General Data Protection Regulation and its aim is to establish a single set of data protection rules across Europe. Organisations outside the EU are also subject to GDPR when they collect data on individuals within it – this is why the UK is keeping it on after Brexit.

How Do You Define Personal Data?

Personal data is defined as any information relating to a person who can be identified, either directly or indirectly. It is irrelevant how or in what context the information is gathered: private, public and work roles are all covered by GDPR.

Numerous surveys over the past couple of years have suggested that firms need to make significant changes to how they operate in order to comply with GDPR rules.

Does This Impact My Small Business?

It makes no odds how small a business is or how much data it holds; so long as that data can identify an individual, GDPR applies. The rules – under the present Data Protection Act and GDPR – also apply to structured paper records.

If the records are searchable, they’re caught by the legislation. So client names, addresses, email addresses and phone numbers, as well as payment information, are all caught. Similar information held on staff and suppliers is caught too.

What Happens if I’m Not GDPR Compliant?

GDPR markedly changes the enforcement and penalty landscape. The Information Commissioner’s Office (ICO) can presently levy fines of up to £500,000 under the Data Protection Act. GDPR raises that to a maximum of 4% of global turnover or 20m euros – whichever is higher.

You will need to ensure your data is kept securely, and that staff are briefed on the law. More importantly, holders of personal data will have to design safeguards into their systems which need to be appropriate and in proportion to the degree of risk associated with the data held.

Technically speaking, this could involve the encryption of personal data; ensuring the ‘ongoing confidentiality, integrity, availability and resilience of company systems’ and having the capability to quickly restore any data. Interestingly, accidental deletion of data counts as a reportable event.

The fundamental tenet of GDPR is the requirement that consent be given by the individuals whose data is held. Consent is specifically defined by GDPR and means ‘any freely given, specific, informed and unambiguous indication of his or her wishes by which, either by a statement or by a clear affirmative action, he or she signifies agreement to personal data relating to them being processed.’

What Does This Mean for My Business?

This means firms need to be able to show how and when consent was obtained – from clients, staff and anyone else they hold data on. It cannot be obtained through pre-ticked boxes (on paper or online), nor can it be bundled with other matters such as a contract – employment, purchase or sale.

Any data obtained must be for specific, explicit and legitimate purposes. Importantly, firms need to recognise that individuals can withdraw their consent at any time and have a right to be forgotten: if their data is no longer required for the reasons for which it was collected, or an individual makes a request, it must be erased.

Critically, if data is used for marketing, individuals cannot be contacted where consent hasn’t been given and/or the systems don’t meet the needs of GDPR.

What Do I Need to Specify?

When collecting data, GDPR requires that the individual be told:

The identity and contact details of the data-gathering business

Why the data is being collected and how it will be used

Whether the data will be transferred outside of the EU and the EEA (say to a payroll provider)

How long the data will be stored for, and their right to access, correct or have erased the data held

The right to withdraw consents previously given at any time

The right to lodge a complaint with the company and the ICO

What Else Do I Need to Know About GDPR?

Importantly, GDPR demands that individuals must be told how their data is processed in a clear and understandable way.

Individuals can make requests to see their data and these must be fulfilled ‘without undue delay and at the latest within one month of receipt of the request.’

Another change brought in by GDPR requires companies to report any breaches of security ‘leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.’

Where the breach involves personal data, companies must notify the appropriate authority, most likely the ICO, ‘without undue delay and, where feasible, not later than 72 hours after having become aware of it’ if the breach is likely to ‘result in a risk for the rights and freedoms of individuals.’ This could mean working through a weekend or bank holiday.

GDPR isn’t going anywhere and Brexit won’t save firms from having to comply. The penalties are much harsher and the ICO will be looking to make examples of businesses that break the rules. Visit ico.org.uk for more information.

Key Steps to Ensure GDPR Compliance

Ensure your staff are aware that the law has changed

Document what personal data is held, where it came from and with whom it is shared

Review your current privacy notices and make necessary changes

Review procedures to address the new rights that individuals have

Plan how you will handle requests within the new timeframes and provide the required information

Identify and document the legal basis for each type of data processing activity

Review how consent is obtained and recorded

Make sure procedures are in place to detect and investigate data breaches

Designate a Data Protection Officer to take responsibility for data protection compliance